Suspicious Regsvr32 Execution From Remote Share

Aug 12, 2024 · attack.defense-evasion attack.t1218.010 ·

Detects REGSVR32.exe to execute DLL hosted on remote shares

Sigma rule (View on GitHub)

 1title: Suspicious Regsvr32 Execution From Remote Share
 2id: 88a87a10-384b-4ad7-8871-2f9bf9259ce5
 3status: test
 4description: Detects REGSVR32.exe to execute DLL hosted on remote shares
 5references:
 6    - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-10-31
 9tags:
10    - attack.defense-evasion
11    - attack.t1218.010
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection_img:
17        - Image|endswith: '\regsvr32.exe'
18        - OriginalFileName: '\REGSVR32.EXE'
19    selection_cli:
20        CommandLine|contains: ' \\\\'
21    condition: all of selection_*
22falsepositives:
23    - Unknown
24# Decrease to medium if this is something common in your org
25level: high

References

Follina Exploit Leads to Domain Compromise

In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain. Qbot, also k…

Read More

Suspicious Regsvr32 Execution From Remote Share

Sigma rule (View on GitHub)

References

Follina Exploit Leads to Domain Compromise

Related rules